02-01-2005 06:59 AM - edited 07-04-2021 10:24 AM
OK, I am stuck.
Have an Ap1210 that I need to have at least 2 secured vlans running on. I have configured the ssid's and associated them with individual vlans. Also have the bridge-groups defined and the associated sub-interfaces on the Radio and FastEth ports. Oh, and currently authentication is open and guest-mode is disabled.
So far so good - if I then configure up a client to access these I have no problem. However, as soon as I try to apply authentication to the individual ssid's or vlans my connection is terminated.
If I use .......
encryption key 1 size 128bit 7 xxx transmit-key
encryption mode wep mandatory
then only the alphabetically first ssid gets access. I have nothing fancy like backend Radius or TACACS servers, but need to lock down the ssid's or vlans in some manner - not so much from each other (the vlans do that nicely enough), but from outside sources.
I would really appreciate anybody's help on this - specifically examples of how this has been done would be great. FWIW I have already digested the "Configuring Authentication Types" document but it hasn't helped me.
02-01-2005 08:33 AM
Hi,
Have you tried adding the VLAN ID to your encryption statements?
i.e.
encryption vlan
It's an optional keyword, so I would assume if you didn't add it, and you are trying to use a WEP key on your client to associate to your AP then it will fail as the AP doesn't know which SSID your WEP key is bound to.
If this is correct, then currently you should still be able to associate to the AP if you remove the WEP key from your client.
HTH
PD
02-02-2005 03:11 AM
I did do that - however from the client end it makes no difference, I still have open access so long as I have the ssid name. I don't even need to enter the key.
Here's my config for the relevant section .... shortened to 40 bits whilst testing 🙂
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 5 key 1 size 40bit 7 xxx transmit-key
 !
 encryption vlan 4 key 1 size 40bit 7 xxx transmit-key
 !
 ssid Name1
    vlan 5
    authentication open
 !
 ssid Name2
    vlan 4
    authentication open
At the moment I have no WEP enabled just so that I know that isn't confusing the matter. However, as a slight aside, can I have multiple WEP keys and associate them to different ssid's?
This is showing up my severe lack of knowledge with wireless kit but I have asked for training so be gentle with me .....
02-02-2005 05:03 PM
Do I understand you correctly that even if you force the client to look for a "preferred" AP and (manually configured) SSID, that the client will not associate?
..... and that the same client will associate with the first SSID?
Could it actually be that the client is associating, but not getting a DHCP address (or not able to get traffic through the second (not working) VLAN)?
What version of IOS are you running? What version of client software?
Scott
02-03-2005 12:30 AM
>Do I understand you correctly that even if you
Correct - however I am past that now and apols for not having clarified that.
Traffic flows on both vlans up to the point where I apply authentication - at this point it goes astray.
What I am doing is trying to get one vlan working and then I'll move onto the other - however I can't seem to do that. Putting WEP on and making it mandatory is ok, but beyond that it is either me making a basic mistake (likely as I have little experience here) or something else.
IOS is 12.2(13)JA4 and Client is running XP sp2
02-03-2005 12:52 AM
Scrap the part about making wep mandatory - even that doesn't seem to be working now ... grrrr. Have applied the encryption vlan x key 1 etc on one vlan but traffic still flows even though I haven't changed the client configuration.
I may be looking at this all wrong but ..... what I want to do is the following.
Apply a single mandatory WEP key to the whole AP. To do this I am using ....
int d0
encryption key 1 size x xxx transmit-key
encryption mode wep mandatory
Then I want to have authentication on my vlans that is different from the AP WEP and each vlan and using the following ....
encryption vlan 2 key 1 size x xxx transmit-key
encryption vlan 3 key 1 size x xxx transmit-key
Is this not possible? The end result I want is to protect one vlan from the other and from casual snooping from the outside.
02-03-2005 01:21 AM
OK .... we are one step on and I'm probably answering my own questions as I go along ... but worth noting for others maybe.
I now have mandatory wep WORKING
OK - now it's time to lock the beast down a little more. Still open to suggestions on how one ought to do this better - situation is a standalone AP providing access to a single site which has a need to separate traffic out and a traditional wired lan is impossible.
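Added example, not part of any post in this thread: a Python check that reads a Dot11Radio section like the one posted above and reports, per SSID, whether an encryption mode line exists for its VLAN, since in the thread a key line on its own left the SSID open. SAMPLE, audit_radio and the state names are made up for this illustration; the "encryption vlan 5 mode wep mandatory" line is the VLAN-scoped form of the command quoted in the thread, and the check assumes an SSID is governed only by encryption lines of its own VLAN scope.

```python
import re

# Constructed sample modelled on the radio section posted in the thread; the
# "mode wep mandatory" line for VLAN 5 is added here, key values are placeholders.
SAMPLE = """\
interface Dot11Radio0
 encryption vlan 5 key 1 size 40bit 7 xxx transmit-key
 encryption vlan 5 mode wep mandatory
 !
 encryption vlan 4 key 1 size 40bit 7 xxx transmit-key
 !
 ssid Name1
    vlan 5
    authentication open
 !
 ssid Name2
    vlan 4
    authentication open
"""

ENC = re.compile(r"encryption(?: vlan (\d+))? (key|mode) (.+)")

def audit_radio(config):
    """Map each SSID to 'enforced', 'optional', 'key-only' or 'none'."""
    keys, modes, ssid_vlan, current = set(), {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = ENC.match(line)
        if m:
            vlan, kind, rest = m.groups()  # vlan is None for radio-wide lines
            if kind == "key":
                keys.add(vlan)
            else:
                modes[vlan] = rest
        elif line.startswith("ssid "):
            current = line.split(None, 1)[1]
            ssid_vlan[current] = None
        elif current and re.fullmatch(r"vlan \d+", line):
            ssid_vlan[current] = line.split()[1]
    report = {}
    for ssid, vlan in ssid_vlan.items():
        # Assumption: an SSID is governed only by encryption lines of its own scope.
        mode = modes.get(vlan)
        if mode is None:
            report[ssid] = "key-only" if vlan in keys else "none"
        else:
            report[ssid] = "optional" if mode.startswith("wep optional") else "enforced"
    return report

if __name__ == "__main__":
    for ssid, state in audit_radio(SAMPLE).items():
        print(f"{ssid}: {state}")
```

An SSID reported as key-only or none matches the behaviour described in the thread, where the client connected with just the SSID name.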